Review the CVE scan workflow

[ahrtr]

What would you like to be added?

Recently there is a glibc CVE https://nvd.nist.gov/vuln/detail/CVE-2026-0861.

It is an OS-level CVE in glibc rather than a Go runtime issue. etcd is built with CGO disabled, so it does not depend on glibc at runtime. It comes from the container base image. Upgrading the base image is recommended, but the etcd binary itself is not affected by this CVE.

But the problem is why our CVE scan workflow did not detect this?

Why is this needed?

to guarantee security and avoid CVE noise

cc @ArkaSaha30 @ivanvc

[ivanvc]

/assign

[ivanvc]

Trivy detects the vulnerability if we scan the released images. #19363 solves this issue. Unfortunately, I haven't been able to get back to that task.

[ivanvc]

I came to this issue yesterday after reviewing other of our PRs that have dependency updates. I scanned the images again with Trivy, but they don't trigger CVE-2026-0861. @ahrtr, which scanner did you use that triggered this CVE?

trivy image gcr.io/etcd-development/etcd:v3.4.40

Report Summary

┌─────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                       Target                        │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ gcr.io/etcd-development/etcd:v3.4.40 (debian 11.10) │  debian  │        4        │    -    │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcd                                  │ gobinary │        4        │    -    │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcdctl                               │ gobinary │        4        │    -    │
└─────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


gcr.io/etcd-development/etcd:v3.4.40 (debian 11.10)
===================================================
Total: 4 (UNKNOWN: 4, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │             Title              │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────┤
│ tzdata  │ DLA-3972-1    │ UNKNOWN  │ fixed  │ 2024a-0+deb11u1   │ 2024b-0+deb11u1 │ tzdata - new timezone database │
│         ├───────────────┤          │        │                   ├─────────────────┤                                │
│         │ DLA-4085-1    │          │        │                   │ 2025a-0+deb11u1 │                                │
│         ├───────────────┤          │        │                   ├─────────────────┤                                │
│         │ DLA-4105-1    │          │        │                   │ 2025b-0+deb11u1 │                                │
│         ├───────────────┤          │        │                   ├─────────────────┤                                │
│         │ DLA-4403-1    │          │        │                   │ 2025b-0+deb11u2 │                                │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────┘

usr/local/bin/etcd (gobinary)
=============================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/etcdctl (gobinary)
================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

trivy image gcr.io/etcd-development/etcd:v3.5.26

Report Summary

┌─────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                       Target                        │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ gcr.io/etcd-development/etcd:v3.5.26 (debian 11.10) │  debian  │        4        │    -    │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcd                                  │ gobinary │        4        │    -    │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcdctl                               │ gobinary │        4        │    -    │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcdutl                               │ gobinary │        4        │    -    │
└─────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


gcr.io/etcd-development/etcd:v3.5.26 (debian 11.10)
===================================================
Total: 4 (UNKNOWN: 4, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │             Title              │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────┤
│ tzdata  │ DLA-3972-1    │ UNKNOWN  │ fixed  │ 2024a-0+deb11u1   │ 2024b-0+deb11u1 │ tzdata - new timezone database │
│         ├───────────────┤          │        │                   ├─────────────────┤                                │
│         │ DLA-4085-1    │          │        │                   │ 2025a-0+deb11u1 │                                │
│         ├───────────────┤          │        │                   ├─────────────────┤                                │
│         │ DLA-4105-1    │          │        │                   │ 2025b-0+deb11u1 │                                │
│         ├───────────────┤          │        │                   ├─────────────────┤                                │
│         │ DLA-4403-1    │          │        │                   │ 2025b-0+deb11u2 │                                │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────┘

usr/local/bin/etcd (gobinary)
=============================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/etcdctl (gobinary)
================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/etcdutl (gobinary)
================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

trivy image gcr.io/etcd-development/etcd:v3.6.7

Report Summary

┌───────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                      Target                       │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ gcr.io/etcd-development/etcd:v3.6.7 (debian 12.9) │  debian  │        0        │    -    │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcd                                │ gobinary │        6        │    -    │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcdctl                             │ gobinary │        4        │    -    │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcdutl                             │ gobinary │        6        │    -    │
└───────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


usr/local/bin/etcd (gobinary)
=============================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-47914 │ MEDIUM   │ fixed  │ v0.42.0           │ 0.45.0                       │ golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of  │
│                     │                │          │        │                   │                              │ Service due to malformed messages                            │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-47914                   │
│                     ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58181 │          │        │                   │                              │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │        │                   │                              │ Service via unbounded memory consumption in GSSAPI           │
│                     │                │          │        │                   │                              │ authentication...                                            │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-58181                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-68121 │ CRITICAL │        │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│                     │                │          │        │                   │                              │ Config has ......                                            │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│                     ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│                     │                │          │        │                   │                              │ parsing in net/url                                           │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│                     ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│                     │                │          │        │                   │                              │ archive index in archive/zip                                 │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│                     ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│                     │                │          │        │                   │                              │ in records...                                                │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/etcdctl (gobinary)
================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-68121 │ CRITICAL │ fixed  │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│         │                │          │        │                   │                              │ Config has ......                                            │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│         │                │          │        │                   │                              │ parsing in net/url                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│         │                │          │        │                   │                              │ archive index in archive/zip                                 │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│         │                │          │        │                   │                              │ in records...                                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/etcdutl (gobinary)
================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-47914 │ MEDIUM   │ fixed  │ v0.42.0           │ 0.45.0                       │ golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of  │
│                     │                │          │        │                   │                              │ Service due to malformed messages                            │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-47914                   │
│                     ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-58181 │          │        │                   │                              │ golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of  │
│                     │                │          │        │                   │                              │ Service via unbounded memory consumption in GSSAPI           │
│                     │                │          │        │                   │                              │ authentication...                                            │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-58181                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-68121 │ CRITICAL │        │ v1.24.11          │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│                     │                │          │        │                   │                              │ Config has ......                                            │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
│                     ├────────────────┼──────────┤        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61726 │ HIGH     │        │                   │ 1.24.12, 1.25.6              │ golang: net/url: Memory exhaustion in query parameter        │
│                     │                │          │        │                   │                              │ parsing in net/url                                           │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61726                   │
│                     ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61728 │          │        │                   │                              │ golang: archive/zip: Excessive CPU consumption when building │
│                     │                │          │        │                   │                              │ archive index in archive/zip                                 │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61728                   │
│                     ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-61730 │          │        │                   │                              │ During the TLS 1.3 handshake if multiple messages are sent   │
│                     │                │          │        │                   │                              │ in records...                                                │
│                     │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-61730                   │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

[ahrtr]

I scanned the images again with Trivy, but they don't trigger CVE-2026-0861. @ahrtr, which scanner did you use that triggered this CVE?

@ArkaSaha30 do you know what tool detected CVE-2026-0861? There is one difference, in our downstream, we enable CGO. Probably it's related.

[ArkaSaha30]

I scanned the images again with Trivy, but they don't trigger CVE-2026-0861. @ahrtr, which scanner did you use that triggered this CVE?

@ArkaSaha30 do you know what tool detected CVE-2026-0861? There is one difference, in our downstream, we enable CGO. Probably it's related.

Looks like the CVE-2026-0861 is coming from the debian-base12 image that is being used in downstream since we need dynamically linked binaries:

arkas1@arkas1-ubuntu-vm:~$ trivy image gcr.io/distroless/base-debian12@sha256:74ddbf52d93fafbdd21b399271b0b4aac1babf8fa98cab59e5692e01169a1348 | grep  -A 2 CVE-2026-0861
2026-02-17T12:57:15+05:30	INFO	[vuln] Vulnerability scanning is enabled
2026-02-17T12:57:15+05:30	INFO	[secret] Secret scanning is enabled
2026-02-17T12:57:15+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-02-17T12:57:15+05:30	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2026-02-17T12:57:15+05:30	INFO	Detected OS	family="debian" version="12.9"
2026-02-17T12:57:15+05:30	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=5
2026-02-17T12:57:15+05:30	INFO	Number of language-specific files	num=0
2026-02-17T12:57:15+05:30	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
│         │ CVE-2026-0861    │          │ affected │                   │                  │ glibc: Integer overflow in memalign leads to heap corruption │
│         │                  │          │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2026-0861                    │
│         ├──────────────────┼──────────┼──────────┤                   ├──────────────────┼──────────────────────────────────────────────────────────────┤

while the upstream static-debian12 is free from any CVEs:

arkas1@arkas1-ubuntu-vm:~$ trivy image gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93
2026-02-17T12:57:50+05:30	INFO	[vuln] Vulnerability scanning is enabled
2026-02-17T12:57:50+05:30	INFO	[secret] Secret scanning is enabled
2026-02-17T12:57:50+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-02-17T12:57:50+05:30	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2026-02-17T12:57:50+05:30	INFO	Detected OS	family="debian" version="12.13"
2026-02-17T12:57:50+05:30	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=4
2026-02-17T12:57:50+05:30	INFO	Number of language-specific files	num=0

gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93 (debian 12.13)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)